Cyber Insurance Coverage Gaps Widen as Insurers Lag on AI Risks
The gap between cyber risk exposure and actual insurance protection is widening. Inconsistent policy language and slow adaptation to emerging threats are leaving organizations with hidden coverage gaps, according to Jennifer Wilson, head of cyber at Newfront.
The core problem is lack of standardization. Each insurer defines cyber risk differently, with its own limits and exclusions. This makes comparing quotes nearly impossible. "It's very difficult to compare apples to apples from one quote to another," Wilson said.
Policies are updated more frequently than in the past, but not fast enough to match real-world attacks. AI-related exposures lack clear policy language, forcing brokers to negotiate custom terms case by case. "Insurance moves slowly, and it's very difficult to get policy language to meet up with the current types of attacks we're seeing," Wilson said.
Generalist Brokers Create Structural Vulnerability
Many organizations place cyber coverage through advisors without specialized expertise. This creates a structural weakness in the market. Wilson said cyber risk requires dedicated knowledge because the market changes constantly.
Policy revisions that once happened every few years now occur quarterly. Without daily engagement in cyber insurance, brokers and clients miss critical shifts in coverage terms. "If you're not in it daily, you're going to miss something," Wilson said.
Underwriting expectations now extend beyond technical security controls. Insurers focus increasingly on business practices around data usage and privacy. Third-party litigation tied to data collection and consent has introduced new scrutiny into how organizations collect, store, and share information.
From Technical Controls to Governance
Meeting baseline security requirements is no longer enough to secure or maintain coverage. Organizations need an integrated approach across legal, compliance, IT, and executive leadership.
Employee training on phishing and wire fraud remains critical. Incident response planning has become a defining factor in both resilience and insurability. Pre-breach preparation, including clear protocols and alignment with insurers and legal counsel, matters significantly.
A defined position on ransomware payments is essential. Without a clear strategy, organizations lose time during attacks, worsening operational and reputational damage. Wilson described a healthcare case where internal indecision prolonged a crisis while threat actors escalated pressure on patients.
AI Coverage Requires Integration, Not Standalone Policies
Some have proposed standalone AI insurance policies. Wilson argued this approach is impractical. "AI is not a separate coverage type. It's a process," she said.
The future of coverage depends on embedding AI considerations into existing policies across multiple lines: cyber, professional liability, general liability, and employment practices. As AI becomes integral to business operations, its risks will appear in diverse ways, from discrimination claims to bodily injury scenarios involving automated systems.
The industry faces a structural challenge: aligning coverage with a threat environment that is both dynamic and difficult to model. For brokers and risk managers, the priority is shifting from price optimization to strategic risk transfer. Expertise, preparation, and policy clarity will determine who is adequately protected and who is not.
Organizations seeking deeper understanding of these risks should consider resources on AI for Insurance to better align their risk strategies with evolving threats.